image: 25 most common passwords in 2018. List from wikipedia: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

It's time for the computer password to die.

Remember when you could get away with a password like "P4sSw0rd!_123"?? We used to think that the complexity introduced by these substitutions and elaborations would protect us from hackers. But modern computers are so fast that even truly random passwords can often be cracked by brute force -- i.e., trying every possible combination of characters.

There's a great irony here. In the name of security, "we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." (as Randall Munroe memorably put it.)

So what can be done? Easy: switch to using passphrases, wherever you can. A passphrase consists of a number of common words (usually 4 or more), strung together into a phrase. Here's one: "barrel crown punk radiance." Simple, right? The surprising thing is that a well-constructed passphrase is generally more secure than most passwords. The math is pretty simple -- skip the next two paragraphs if you're not interested.

Consider an 8 character password, which can contain uppercase or lowercase letters or any of 10 symbol characters. That's (26 x 2) + 10 = 62 possible characters. For an 8 character password, there are 62^8 unique passwords, or about 2 x 10^14. If you're using the substitution tricks mentioned above rather than a truly random password, the number of possible passwords is much lower than that, and your security is correspondingly lower.

Now consider a passphrase, chosen randomly from a well-constructed list of 7,776 words. (Why 7,776? It's an interesting story). Four a four-word passphrase, there are 7,776^4 unique possibilities, or 3.7 x 10^15, easily beating a random 8 character password. Adding a fifth word gets you to 2.8 x 10^19 possible passphrases.

So: passphrases offer greater security, and they are easier to memorize. Which would you rather try to remember -- "m4rX&KiL", or "barometer directory earmuff yonder"? The downside for a passphrase, of course, is more characters to type. That's a tradeoff I'm willing to make.

Passphrases are not suitable for all applications -- many websites will not take them -- but there are a few jobs where they truly shine. I use one for my network login at work. According to the Electronic Frontier Foundation, you should consider using passphrases as keys for encrypting your hard drive, and also for the master key to your password manager. (You are using passwordmanagementsoftware, right???)

Are you ready to try passphrases? I created a JMP add-in you can use to generate random passphrases from 3 to 6 words long. Please give it a try and let me know what you think.